
AWS credentials in Dockerfile

I require files to be downloaded from AWS S3 during container build; however, I've been unable to provide the AWS credentials to the build process without actually hardcoding them in the Dockerfile. I get the error:

docker fatal error: Unable to locate credentials

despite previously having executed:

aws configure

Moreover, I was not able to use --build-arg for this purpose.

My question: is it possible to have these credentials at build time without hardcoding them in the Dockerfile, and if so, how?

Thank you for your attention.

like image 600
João Matos asked Aug 13 '18 14:08


2 Answers

It is possible to hide the values from docker history. In order to achieve this, you must use a multi-stage build. This will make your history only visible from the second FROM on.

Based on Jack's snippet example:

FROM <base-image>:latest AS first

ARG AWS_ACCESS_KEY_ID
ARG AWS_SECRET_ACCESS_KEY
ARG AWS_REGION=us-west-2

# [do something]

FROM <base-image>:latest

COPY --from=first /dir/file_from_first /dir/file

This is a way to hide all the layers created during the first FROM.

like image 35
sebassebas1313 answered Oct 22 '22 12:10


Using the --build-arg flag is the correct way to do it, if you don't mind that the values can be seen by everyone using docker history. However, you must use the ARG directive, not the ENV directive, to specify them in your Dockerfile.

Here is an example Dockerfile that I have used with AWS credentials. It takes in the AWS credentials as build arguments, including a default argument for the AWS_REGION build argument. It then performs a basic aws action, in this case logging into ECR.

# an image I have that has `aws` installed
FROM <base-image>:latest

ARG AWS_ACCESS_KEY_ID
ARG AWS_SECRET_ACCESS_KEY
ARG AWS_REGION=us-west-2

RUN aws ecr get-login --no-include-email | bash

CMD ["npm", "start"]

You then build the image with the following command:

docker build -t testing --build-arg AWS_ACCESS_KEY_ID=<Your ID Here> \
    --build-arg AWS_SECRET_ACCESS_KEY=<Your Key Here> .

Please be aware that the values of the --build-arg arguments can be seen by anyone with access to the image later on using docker history.

like image 138
Jack answered Oct 22 '22 10:10
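
The `docker history` exposure that both answers refer to can be checked before an image is pushed. The following is an added example, not code from the original posts: it scans `CreatedBy` lines, as printed by `docker history --no-trunc --format '{{.CreatedBy}}' <image>`, for the credential ARGs used above. The sample history lines are constructed, and `scan_history` is a hypothetical name.

```python
import re
import sys

# Variable names the AWS CLI and SDKs read credentials from; the first two
# are the ARGs used in the Dockerfiles on this page.
SENSITIVE = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN")
# NAME=value where value is a quoted string or a bare token.
ASSIGNMENT = re.compile(r"\b(%s)=(\"[^\"]*\"|'[^']*'|\S+)" % "|".join(SENSITIVE))
# Shape of an access key ID (AKIA = long-term, ASIA = temporary), under any name.
KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

def scan_history(created_by_lines):
    """Return (layer_index, name, value_length) per credential; values are never echoed."""
    findings = []
    for index, line in enumerate(created_by_lines):
        named = set()
        for name, raw in ASSIGNMENT.findall(line):
            value = raw.strip("\"'")
            if value:
                named.add(value)
                findings.append((index, name, len(value)))
        for key_id in KEY_ID.findall(line):
            if key_id not in named:  # key ID stored under an unexpected name
                findings.append((index, "access-key-id-pattern", len(key_id)))
    return findings

# Constructed CreatedBy lines (BuildKit style) for the single-stage Dockerfile;
# the key values are AWS's published documentation placeholders.
SINGLE_STAGE = [
    'CMD ["npm" "start"]',
    "RUN |3 AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE AWS_REGION=us-west-2 "
    "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY "
    "/bin/sh -c aws ecr get-login --no-include-email | bash # buildkit",
    "ARG AWS_REGION=us-west-2",
    "ARG AWS_SECRET_ACCESS_KEY",
    "ARG AWS_ACCESS_KEY_ID",
]
# Constructed CreatedBy lines for the final stage of the multi-stage Dockerfile.
MULTI_STAGE_FINAL = ["COPY /dir/file_from_first /dir/file # buildkit"]

if __name__ == "__main__":
    # With piped input, scan real history; otherwise scan the constructed sample.
    lines = SINGLE_STAGE if sys.stdin.isatty() else sys.stdin.read().splitlines()
    results = scan_history(lines)
    for index, name, length in results:
        print("layer %d: %s (%d chars) is recorded in image history" % (index, name, length))
    sys.exit(1 if results else 0)
```

Piping the real `docker history` output of an image into the script makes it exit non-zero when a credential is recorded, which suits a pre-push CI step.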